Pages

Friday, June 2, 2017

Mobile Messenger apps & trust in general

The thing about trust is it's a very individual matter. For example I do trust Google (to a certain degree), however I do not trust WhatsApp or even less Facebook. There might be no logic in this, but fact is I always disliked that the latter had a copy of my address book whereas I didn't hesitate storing it with the former. Also, I personally don't trust Apple software due to the fact that their security bugs are not being fixed in a timely manner or their way of pre-configuring their OS's in an insecure way (i.e. at least with MacOSX 10.x the firewall is still disabled as default). As company storing my data I'd probably trust them. That of course is my personal opinion.

Who's ever software you are using or in whatever cloud your data is stored you have to put some amount of trust in that company/person/community. And that's the beauty of open source software: you don't have to trust you can actually be pretty much sure about what it is doing - or not doing. That is of course unless you can't read code...
...which includes me. So I just have to hope that someone who actually can read code would file at least a bug report. Which again puts me back to the question of trust - but with a much higher level of trust compared to closed source software. With large agencies spying on our communication open source software and well documented encryption becomes even more important. Which brings me to the main part of this post: mobile messenger apps.

At least since WhatsApp has been sold to Facebook new messenger apps are gaining popularity. As already mentioned, I did never really trust WhatsApp. The idea behind it is just great, however it showed up a lot of security/privacy issues right from the start. And as they began providing their service for free (letting go of the annual "fee" of 0,99€) my distrust became even worse. How would they make money - if not with our (meta)data...? Then they started implementing Signal's end-to-end encryption which I appreciated a lot. However, last summer their privacy policy changed allowing them to submit metadata to Facebook. (Currently they seem to have been stopped - at least for parts of Europe). Besides that I always opposed of WhatsApp being seen as kind of the new standard way of communication (yes children, we even used phones to actually phone - or text, of course ;-) ).

Anyway, I decided to leave WhatsApp. Leaving WhatsApp made my messenger contact list a lot "less crowded". And that is the biggest drawback: you might not be able to convince every- or even anybody to switch messenger apps. Well, I consider it their loss ;-)
(Back in the nineties I tried convincing people to encrypt mails with PGP - and failed...)

It's really hard to make people switch away from their beloved WhatsApp messenger app. Hearing stuff like "I don't have anything to hide" makes me want to pull my hair... It's bullshit. Everybody has something to hide. Or at least stuff they don't want anybody to know. Yes, I know - and already stated that above - WhatsApp messages are end-to-end encrypted and as this are pretty much safe. However, WhatsApp/Facebook is collecting and makes use of their user's metadata. Who did you chat with? How long? At which time of the day (or night)? That does not seem sensitive data for you? You might want to take a look at "Why metadata matters" by Kurt Opsahl of EFF. Or even go a step further by reading these quotes (found here):

"metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content.” - NSA General Counsel Stewart Baker

“We kill people based on metadata.” - General Michael Hayden, former director of the NSA and the CIA

(Yes, this is a very extreme way of putting it...)

Of course to work properly a messenger would need to make use of at least some minimum amount of metadata: sender and receiver have to be somehow addressable...

To sum this up: the best messenger would feature end-to-end encryption, does not store metadata (just the bare minimum) and would be open source.

There are at least three messenger apps I'd like to mention here. All are available at least for Android and iOS (some even for desktop and Windows Phone):

All three encrypt messages end-to-end and Signal and Wire are even completely open source software (client and server) whereas Threema is at least partly open source (s. here).

Messenger

E2E

Open Source

Registration

Reads address book

Signal

yes (Axolotl)

yes

Phone number

yes

Threema

yes (NaCl)

no (partly)

anonymous

optional

Wire

yes (Proteus)

yes

at least eMail/Phone number optional

optional

Registration

The registration process differs a little across those messengers. With Signal you need to verify your phone number and if you have contacts in your address book who also joined Signal they will appear. However, your address book is not stored on Signal's servers (s. here):

Signal periodically sends truncated cryptographically hashed phone numbers for contact discovery. Additionally, all connections to our servers are fully encrypted. Names are never transmitted, and the information is not stored on our servers. The server responds with the contacts that are Signal users and then immediately discards this information. Your phone now knows which of your contacts is a Signal user and notifies you if your contact just started using Signal.

Also, they only store a minimum amount of metadata, read their privacy policy here. Signal's servers are under US jurisdiction. However, there is not much data they could hand over...

You may use Threema completely anonymously if you wish. An ID is generated the first time you fire it up and this ID is pretty much all you need. You may associate your ID with your phone number or email address and also sync your address book - but's that's completely up to you. They also just have as little data as they need kept on their servers (which reside within Switzerland).

If you sign up to Wire using their website the only thing you need is an email address. Adding a phone number and syncing address books is optional then. Find their privacy policy here. (I did not quite find out what kind of data and how long it is stored with them). Wire's servers are also located in Switzerland.

The Extras

One thing Wire puts itself ahead of the other two is it's multidevice capability: you can install it on every smartphone, tablet or PC/Mac and messages will be synced to all devices - if they are not older then 30 days (I think). That's a real goodie!!

Threema has the ability to make complete (encrypted) backups of your identity and/or chat history. You can install Threema on a new device and then use a backup to restore everything. Your buddies won't even notice because your key has not changed. With Signal and Wire you'd have to verify identities again.

Signal at least let's you export your chats as plain text which you may import again once you need to reinstall. Also, Signal may be used as your default SMS/MMS app on Android.

Contact Verification

All three messengers let you verify your contact's identities by checking their public keys. (This will minimize the risk of man-in-the-middle attacks.) With Signal and Threema this is made very easy by scanning a QR code. In Wire you have to compare them manually and as you have one key per device sometimes even more than once. Hopefully this process will be improved in the future. In any case you should verify keys "face-to-face" and not via mail or even the messenger itself!Threema even displays the amount of trust you put into someone's identity:

one red dot: you've added the contact by ID only

two orange dots: either phone number or email address has been verified and you have at least one of those in your address book

three green dots: you actually verified keys via QR scan (best!)

How much is it?

Signal and Wire are free: Wireplans to add some paid extras in the future and Signal lives on donations. Threema does cost a few bucks (Android: 2,99€/iOS: 3,49€) but is totally worth it - and you actually know how they make money!

I think all three make a very good alternative to WhatsApp. However, Wire seems a little buggy at while and Signal and Threema are probably a little easier to get used to at first. But Wire on the other hand may be installed on as many devices as you wish...

Aaaand another one: Telegram

There is a fourth alternative to WhatsApp which I'd like to mention here: Telegram. I'm not quite sure what to think of it. Unlike the other three it does not encrypt chats end-to-end per default. Telegram chats are encrypted client-to-server and server-to-client. They are being stored on Telegram's servers for you to have access from any device you wish - which is quite handy. (Telegram is available for iOS/Android/Windows/Linux/Mac and web.) Those "cloud chats" are also encrypted, though and encryption keys are distributed over several data centers in different jurisdictions which makes it nearly impossible to access the data within only one data center. However, you have to take their word for it and of course it is theoretically possible for Telegram to "read" cloud chats. You may always switch to "secret" chats which are then end-to-end encrypted.
You can not backup secret chats, whereas cloud chats are always available once you (re)install Telegram.
The encryption protocol is self made and is called "MTProto". You'll find a lot of negative comments about it for not being based on proved encryption mechanisms and it's widely being marked as not as secure as other protocols. However, I did not find anything about it being actually broken or having been exploited until now. If something like this happens I'd guess they fix it just as any other software.

As I understand, "MTProto" and the client software is open source, however the server software is not.

Registering with Telegram will require your mobile number. As additional security feature Telegram (as well as WhatsApp) is offering a two-factor-authentication - and I strongly recommend using it (as I would in WhatApp)! It's simple: just set a password. Then you don't rely on SMS alone.

One thing that makes me wonder a little is the fact that they don't actually make money with their service. It's being funded completely by Pavel Durov who made a lot of money with "VKontakte". See their FAQ here. Don't get me wrong, there's nothing bad in giving good stuff for free - but running the infrastructure for this kind of software cannot be cheap and someday all money is gone if nothing flows back... Just makes me wonder.

Messenger

E2E

Open Source

Registration

Reads address book

Telegram

optional (MTProto)

yes (partly)

Phone number

yes (optional?)

Again, I'm not quite sure what to think of it. Reading their FAQs and listing all the features Telegram can show off with I don't think it would be a bad choice. I do not have reason to really distrust this service. Also, I like their kind of humor (read their privacy policy):

Everything you delete is deleted forever. Except for cats.We never delete your funny cat pictures, we love them too much.

Their privacy policy also states that your contact's names and phone numbers are being stored on Telegram's servers in order to notify you in case anybody starts using it. I'm not sure if this is optional on smartphones. It is with the desktop application. I don't really get what kind of metadata is being collected on Telegram's servers and how long it's being stored. If you decide to switch to Telegram I'd recommend reading their privacy policy.

To my knowledge Telegram has - compared to the other three messengers - the highest download rate. You might be lucky and some of your buddies are already using it!